WLAN Security. Giwhan Cho Distributed/Mobile Computing System Lab. Chonbuk National University

Transcription

1 WLAN Security Giwhan Cho Distributed/Mobile Computing System Lab. Chonbuk National University

2 Content WLAN security overview i WLAN security components pre-rsn (Robust Security Network) security RSN security WPA (Wi-Fi Protected Access) WLAN security s other issues Ad-hoc security pre-authentication & roaming security Chonbuk National University 2003/06/26 KRnet2003 2/44 by Gihwan Cho

3 Overview (1/2) IEEE based WLAN security issues outflow of secrecy hacking illegal usage Authentication Access Control Integrity Confidentiality eavesdropping forgery Chonbuk National University 2003/06/26 KRnet2003 3/44 by Gihwan Cho

4 Increasing Protection Overview (2/2) : WLAN Security Trends VPN Multiple Solutions Validated WPA (802.1x, TKIP) i Ratified WPA Compliance For Logo Transition Industry To Standard WEP + Dynamic ReKey Nothing WEP Q1 03 Q2 03 Q3 03 Q4 03 Q1 04 Q2 04 Q3 04 Q4 04 Available at Launch Source : Dell/Microsoft/Intel Road Show Chonbuk National University 2003/06/26 KRnet2003 4/44 by Gihwan Cho

5 Content WLAN security overview i WLAN security components pre-rsn (Robust Security Network) security RSN security WPA (Wi-Fi Protected Access) WLAN security s other issues Ad-hoc security pre-authentication & roaming security Chonbuk National University 2003/06/26 KRnet2003 5/44 by Gihwan Cho

6 802.11i Security Components pre-rsn security IEEE authentication open system authentication shared key authentication WEP (Wired Equivalent Privacy) data privacy RSN security security association management RSN negotiation procedures IEEE 802.1x authentication IEEE 802.1x key management data privacy mechanism TKIP (Temporal Key Integrity Protocol) CCMP (Counter-Mode-CBC-MAC Protocol) Chonbuk National University 2003/06/26 KRnet2003 6/44 by Gihwan Cho

7 WLAN Authentication(1/7) Authentication degrees open (default) system authentication non-standard authentication but provided by vendors shared key authentication Any Closed System MAC Address PSK (Pre-Shared Key) high security Chonbuk National University 2003/06/26 KRnet2003 7/44 by Gihwan Cho

8 WLAN Authentication (2/7) ANY open system authentication AP(Access Point) permits everyone to authenticate successfully null authentication process - default value Router SSID : A AP SSID : B Authentication Integrity SSID : A SSID : ANY SSID : A Access Control Confidentiality MN Chonbuk National University 2003/06/26 KRnet2003 8/44 by Gihwan Cho

9 WLAN Authentication(3/7) Closed system AP accepts only client which of correct SSID deny ANY AP doesn t broadcast SSID in beacon Oh! non-safe SSID is broadcasted in the clear text by the probe request of client => attack by only sniffing the probe request packets Chonbuk National University 2003/06/26 KRnet2003 9/44 by Gihwan Cho

10 WLAN Authentication (4/7) Closed system example and related security issues Router SSID : A AP SSID : B MN SSID : A SSID : ANY Authentication Integrity Access Control Confidentiality Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

11 WLAN Authentication (5/7) MAC address system MAC access control MAC ACLs(Access Control lists) lists the MAC addresses with permission to use the network if the MAC address don t appear in the list, not permit unlisted MN MAC filtering deny or bridge the indicated MAC address Oh! non-safe.. MAC address can be changed at will => attack need only to eavesdrop or sniff the WLAN to identify those MAC addresses permitted access (MAC address is always transmitted in an unencrypted form) Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

12 WLAN Authentication (6/7) MAC address access control Router Access Control List : MAC A MAC B AP Access Control List : MAC A MAC B MAC C MAC : A MAC : F MAC : C Authentication Integrity MN Access Control Confidentiality Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

13 WLAN Authentication (7/7) PSK authentication shared key authentication utilize a shared key with a challenge and a response i.e., WEP STA AP Authentication request Challenge (Random) Response (Random encrypted with shared Key) Success if decrypted value matches random Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

14 WEP Data Privacy (1/4) WEP IEEE b standard RC4 algorithm pre-shared key authentication 64 bit WEP : 40-bit shared secret key + 24bits Initialization Vector(IV) Authentication Integrity? Access Control Confidentiality Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

15 WEP Data Privacy (2/4) 24bit 40bit Initialization Vector Seed WEP Secret Key PRNG (RC4) Key Sequence IV Ciphertext Plain Text Integrity Algorithm (CRC32) 32bit Integrity Check Value(ICV) Message WEP Encipherment block diagram Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

16 WEP Data Privacy (3/4) Secret Key IV Seed WEP PRNG (RC4) Key Sequence Plain text Integrity Algorithm (CRC32) ICV Ciphertext ICV ICV=ICV? WEP Decipherment block diagram Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

17 WEP Data privacy (4/4) WEP compromises WEP flaws keystream Reuse (IV short length/reuse permission) weak CRC-32 (linear/unkeyed message integrity check) no mutual protection no replay protection Attacks eavesdrop on message with same IV; traffic injection intercept packets for receiver and flips bit + change the appropriate bits in CRC to match the forged bit man-in-the middle attack : rogue AP or rogue client replay, impersonation; authentication spoofing Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

18 RSN Security Overview in 2000, IEEE Task Group i(tgi) develops enhanced security for standard (labeled RSN) three main pieces organized into two layers 1 security association management 2 TKIP 3 CCMP 802.1x : provides framework for robust user authentication and encryption key distribution (upper layer) provide enhanced data integrity over WEP (low layer) Authentication OK! Integrity Authorization Confidentiality Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

19 Security Association Management Laptop computer EAP Over LANs(EAPOL) Port connect Access blocked Association-Request + RSN IE 1. RSN negotiation procedure Probe Beacon +RSN IE Association-Response EAP Over RADIUS Ethernet asd Radius Server EAPOL-Start 2. IEEE 802.1x authentication EAP-Request/Identity EAPOL RADIUS EAP-Response/Identity EAP-Response(credentials) EAP-Request Radius-Access-Request Radius-Access-Challenge Radius-Access-Request 3. IEEE 802.1x key management EAPOL-Key (key exchange) Radius-Access-Accept ( privacy security association) EAP-Success Access allowed 4. Data protection Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho IE : Information Element PMK

20 1. RSN Negotiation Procedure (1/2) AP advertises network security capabilities to STAs(STAtion) SSID in probe beacon, RSN IE STA selects authentication suite and unicast cipher suite in association request RSN IE Format Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

21 1. RSN Negotiation Procedure (2/2) ASE (Authentication Suite Element) default : 802.1x auth. suite CSE (Cipher Suite Element) default : AES cipher suite OUI Type Meaning OUI Type Meaning 00:00:00 0 None 00:00:00 0 None 00:00:00 1 Unspecified authentication over 802.1x : default 00:00:00 1 WEP 00:00:00 2 TKIP 00:00:00 00:00:00 00:00: Any Pre-Shared Key over 802.1x Reserved Vendor Specific 00:00:00 00:00:00 00:00: Any Reserved for AES cipher : default Reserved Vendor Specific ASE and CSE Suite selector frame Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

22 x Authentication (1/5) EAP(Extended Authentication Protocol) (rfc 2284) port based filtering establish a mutually authenticated session key shared by AS (Authentication Server) and STA create PMK (Pairwise Master Key) Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

23 x Authentication (2/5) 802.1x port based authentication to Internet Supplicant s System Supplicant PAE 1 2 Authenticator s System Services Offered by Authenticator (e.g. Bridge Relay) Controlled port Port Authorize Authenticator PAE Uncontrolled port Authentication Server s System Authentication Server LAN PAE : Port Access Entity control flow data flow Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

24 x Authentication (3/5) EAP architecture TLS /TTLS SRP AKA CHAP-MD5 Authentication Layer EAP APIs EAP EAP Layer EAPOL PPP NDIS APIs Data Link Layer Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

25 x Authentication (4/5) EAP-TLS(Transport Layer Security) Client AP AS EAPOL-Start EAP-Response /Identity (My ID) EAP-Response/type EAP-TLS (ClientHello(random1)) EAP-Response/type EAP-TLS (Client_ certificate,changeciphersuite, finished) EAP-Response/type EAP-TLS EAP-Request/Identity EAP-Request/type EAP-TLS(TLS-start) EAP-Request/type EAP-TLS ServerHello (randmom2), Server_ certificate) MasterKey = TLS-PRF(PreMasterKey, master secret random1 random2) EAP-Request/type EAP-TLS (Change CipherSuite, finished) PMK = TLS-PRF(MasterKey, client EAP encryption random1 random2) Chonbuk National University 2003/06/26 KRnet2003 EAP-Success 25/44 by Gihwan Cho

26 x Authentication (5/5) : EAP Methods Method Common Implementation Authentication attributes Secret available to server standard Generate WEP key Wireless security MD5 Challenge-based password One-way auth. no RFC1994 RFC2284 no poor TLS Certificate-based two-way auth. mutual auth. no RFC2716 yes best TTLS PEAP LEAP Server auth. via certificates Client auth via another method Server auth. via certificates Client auth via another method Two-way challenge-based password mutual auth. mutual auth. mutual auth. Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho yes Via PAP depends on EAP method draft-ietfpppexteap-ttls- 01.txt draftjoseffsonpppexttlseap- 06.txt yes yes better better no proprietary yes good

27 x Key Management (1/4) : Pairwise Key Hierarchy Master Key (MK) Pairwise Master Key (PMK) = TLS-PRF(MasterKey, client EAP encryption clienthello.random serverhello.random) Pairwise Transient Key (PTK) = EAPoL-PRF(PMK,AP Nonce STA Nonce AP MAC Addr STA MAC Addr) Key confirmation Key (KCK) PTK bits Key Encryption Key (KEK) PTK bits Temporal Key (TK) PTK bits 256- n 802.1x key management step Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

28 x Key Management (2/4) : 4-Way Handshake Client AP PMK PMK EAPoL-Key (Reply Required, Unicast, ANonce) Pick Random SNonce, Drive PTK = EAPoL-PRF(PMK, ANonce SNonce AP MAC Addr STA MAC Addr) EAPoL-Key (Unicast, Snonce, MIC, STA RSN IE) Pick Random ANonce EAPoL-Key (Reply Request, Install PTK, Unicast, Anonce, MIC, AP RSN IE) Drive PTK EAPoL-Key (Unicast, MIC) Install TK Install TK Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

29 x Key Management (3/4) : Group Key Handshake Client AP PTK PTK EAPoL-Key (All Keys Installed, Ack, Group Rx, Key Id, Group, RSC, GNonce, MIC, GTK) Pick Random GNonce, Pick Random GTK Encrypt GTK with KEK Decrypt GTK EAPoL-Key (Group, MIC) Unblocked data traffic Unblocked data traffic GTK : Group Transient Key RSC : Replay Sequence Counter Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

30 3. Data Protection (4/4) : RSN TKIP pairwise key hierarchy EAPOL Master Key From Authentication Server EAPOL Authentication (STA)/RADIUS Attribute (AP) EAPOL Pairwise Master Key(256b) Infrastructure (ULA) only PN. PKeyID STA and AP Re-keying protocol EAPOL-KEY exchange Pairwise Nonce (KON, SN) PMK KON, SN TA RA Pairwise Transient Key (PTK) = PRF-512 (PMK, Pairwise key expansion, Min(TA,RA) Max(TA,RA) KON SN) EAPOL-Key EAPOL-Key Temporal TKIP Temporal Key owner Temporal Key owner Enc Key MIC Key Enc Key TX MIC Key RX MIC Key L(PTK, 0, 128) L(PTK, 128, 128) L(PTK, 256, 128) L(PTK, 384, 64) L(PTK, 448, 64) PKeyId SC RA TA TKIP Mixing Function TKIP Encryption Key TKIP Michael Seed(IV,RC4Key) MPDU Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho RC4 SC : Sequence Count RA : Receiver MAC Address TA : Transmitter MAC Address Pkey : Pairwise Key KON : Key Owner Nonce SN : Non-Key owner Nonce ULA : Upper Layer Authentication

31 4. Data Protection(1/5) : TKIP TKIP : Temporal Key Integrity Protocol Designed as a wrapper around WEP can be implemented in software reuses existing WEP hardware runs WEP as a sub-component TKIP design challenges against WEP s weakness prevent key reuse prevent data forgery prevent replay attacks prevent man-in-the middle attack Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

32 4. Data Protection (2/5) : TKIP Temporal Key TA Phase 1 key mixing TTAK Key Phase 2 key mixing WEP seed(s) (represented as WEP IV + RC4 key) MIC Key SA + DA + Plaintext MSDU Data MIC TKIP sequence counter(s) Plaintext MSDU + MIC Fragment(s) Plaintext MPDU(s) TKIP Encapsulation Block Diagram WEP Encapsulation Ciphertext MPDU(s) TA : Transmitter MAC Address SA : Source MAC Address DA : Destination MAC Address TTAK : Temporary TA Key MSDU : MAC Service Data Unit MPDU : MAC Protocol Data Unit IV : Initialization vector MIC : Message Integrity Code Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

33 4. Data Protection(3/5) : TKIP Temporal Key TA Phase 1 key mixing Ciphertext MPDU MIC Key TTA K Key TKIP sequence counter Unmix IV WEP IV Phase 2 Key mixing In sequence - MPDU Out - of - sequence MPDU WEP Seed WEP Decapsulation Plaintext MPDU MPDU with failed WEP ICV Reassemble SA + DA + Plaintext MSDU MIC MIC MIC MSDU with failed TKIP MIC Plaintext MSDU MIC = MIC? Countermeasures TKIP Decapsulation Block Diagram Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

34 4. Data Protection(4/5) : CCMP CCMP : Counter-Mode-CBC-MAC Protocol CCMP properties based on AES (Advanced Encryption Standard) in CCM mode CCM has a security level as good as other modes CBC-MAC + CTR (CounTeR) based on a block cipher CBC-MAC : used to compute a MIC on plaintext CTR mode : used to encrypt the payload and MIC temporal key = PTK bits ( ), GTK bits (0-127) 128bit TK is used for confidentiality and encryption AES overhead requires new AP hardware long-term solution Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

35 4. Data Protection(5/5) : CCMP Packet Sequence Number Construct IV And CTR IV CTR Plaintext MPDU Encode Packet Sequence Number Compute And Add CBC-MAC Compute Mode Encryption Ciphertext MPDU Key CCM for a Wireless LAN MPDU Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

36 Content WLAN security overview i WLAN security components pre-rsn (Robust Security Network) security RSN security WPA (Wi-Fi Protected Access) WLAN security s other issues Ad-hoc security pre-authentication & roaming security Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

37 Wi-Fi Protected Access (1/2) User authentication 802.1x + Extensible Authentication Protocol (EAP) Encryption Temporal Key Integrity Protocol (TKIP) 802.1x for dynamic key distribution Message Integrity Check (MIC) a.k.a. michael WPA = 802.1x + TKIP + EAP + MIC Authentication Authorization OK! Integrity Confidentiality Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

38 Wi-Fi Protected Access (2/2) : WPA is snapshot of i Source : Wi-Fi Alliance Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

39 Content WLAN security overview i WLAN security components pre-rsn (Robust Security Network) security RSN security WPA (Wi-Fi Protected Access) WLAN security s Other issues Ad-hoc security pre-authentication & roaming security Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

40 Ad-Hoc Security (1/2) : security threatens eavesdropping message replay tampering impersonation denial of service traffic monitoring Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

41 Ad-Hoc Security (2/2) : i proposal Configure a network-wide pre-shared key and SSID Each STA in ad-hoc network initiates 4-way handshake based on PSK when it receives following from a STA with whom it hasn t established communication beacon and probe request with same SSID Each STA distributes its own Group Key to each of the other STAs in ad hoc network Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

42 802.1x Pre-Authentication (1/2) IEEE 802.1x pre-authentication has substantial advantages for enables a station to authenticate to multiple APs minimizes connectivity loss during roaming can authenticate and derive keys early on, use keys to protect as many messages as possible most management and control frames can be protected, with the exception of beacon and probe request/response Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

43 802.1x Pre-Authentication (2/2) AS 1. STA authenticates and associates to AP A on channel 6 channel channel 6 STA does passive or active scan, moves, selects AP B as potential roam AP B 2 2 AP A 2. STA authenticates to AP B before connectivity is lost to AP A 3 STA 1 can send unicast 802.1x data frames to AP B, forwarded by AP A and be authenticated can tune radio to channel STA re-associates to AP B Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho

44 Conclusion : WLAN Security progress Authentication / Access Control 802.1x PSK MAC Integrity/Confidentiality SSID TKIP/MIC AES WEP/CRC WEP2 Dynamic WEP Ad-Hoc Security Preauthentication Prospective Security Chonbuk National University 2003/06/26 KRnet /44 by Gihwan Cho